diTii.com - All About Technology: features Latest News and Information About Technology



A little more than a year ago, Sebastian Krahmer posted a question on the Dailydave security mailing list asking whether Vista’s speech recognition was exploitable via malicious sound files that could be hosted on websites. I was the first to answer his call with some initial skepticism, but that turned into astonishment when I ran some tests that confirmed the vulnerability. Stories ran a few months ago, before the finalization of Vista Service Pack 1, that SP1 would close this speech recognition vulnerability, but I couldn’t get any confirmation or denial from Microsoft after multiple queries. I finally got tired of waiting and decided to test the exploit again with Vista SP1 RTM installed, and found that the vulnerability still exists.

The test sound file I created managed to wake Vista speech recognition, highlight all the files on my desktop or all my pictures via Windows Explorer, and invoke the Shift+Delete command, which wipes the files without the ability to undelete them from the Recycle Bin. I could also open Internet Explorer and invoke TinyURL addresses, which in turn redirect to some other malicious executable. While the damage is limited to the user space, since Vista speech recognition can’t get around the UAC prompt (assuming it’s on), code execution in the user space is still a serious vulnerability.
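The mechanism behind the attack described above, as an added demonstration that is not part of the original article and not Microsoft's code: a synthetic voice speaks a few command phrases into a WAV file, and that file is then fed to a .NET System.Speech recognizer, loaded with a small command grammar, in place of the microphone. The phrases, the grammar and the temporary file name are assumptions chosen for the demo; it needs Windows PowerShell with the .NET Framework System.Speech assembly and an installed en-US recognizer.

```powershell
# Added demonstration, not code from the original article or from Microsoft.
# Shows that a command recognizer accepts synthesized speech from an audio file,
# which is why a sound file played through the speakers can drive speech commands.
# Command phrases, grammar and file name are assumptions for this demo.
Add-Type -AssemblyName System.Speech

$wav = Join-Path $env:TEMP 'spoken-commands.wav'

# 1. Build the "malicious" sound file: a synthetic voice speaking command phrases,
#    with a short pause after each so the recognizer treats them as separate utterances.
$prompt = New-Object System.Speech.Synthesis.PromptBuilder
foreach ($phrase in 'select all', 'delete', 'open internet explorer') {
    $prompt.AppendText($phrase)
    $prompt.AppendBreak([TimeSpan]::FromMilliseconds(800))
}
$tts = New-Object System.Speech.Synthesis.SpeechSynthesizer
$tts.SetOutputToWaveFile($wav)
$tts.Speak($prompt)
$tts.Dispose()   # flushes and closes the WAV file

# 2. A command grammar of the kind an always-listening assistant would load.
$choices = New-Object System.Speech.Recognition.Choices
$choices.Add([string[]]@('select all', 'delete', 'open internet explorer', 'cancel'))
$builder = New-Object System.Speech.Recognition.GrammarBuilder $choices
$grammar = New-Object System.Speech.Recognition.Grammar $builder

# 3. Point the recognizer at the WAV instead of the microphone and collect what it hears.
$culture = [System.Globalization.CultureInfo]'en-US'
$rec = New-Object System.Speech.Recognition.SpeechRecognitionEngine $culture
$rec.LoadGrammar($grammar)
$rec.SetInputToWaveFile($wav)

$heard = @()
# Recognize() returns $null once the end of the audio stream is reached.
while ($null -ne ($result = $rec.Recognize())) {
    $heard += [pscustomobject]@{
        Command    = $result.Text
        Confidence = [math]::Round($result.Confidence, 2)
    }
}
$rec.Dispose()

# Every recognized phrase is a command the recognizer would have acted on; nothing in
# the result ties the utterance to a human speaker at the keyboard.
$heard | Format-Table -AutoSize
```

The output is a table of the phrases the engine recognized with their confidence scores. The point to take from it is that recognition is driven purely by the audio signal: a synthesized voice scores like a human one, and the engine has no notion of whether the sound came from the user or from a web page playing through the speakers. That is the gap the article's test file exploits; UAC, as the article notes, only bounds the damage to the user's own session.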


About The Author

Deepak Gupta is an IT & Web Consultant. He is the founder and CEO of diTii.com & DIT Technologies, where he is engaged in technology consultancy and the design and development of desktop, web and mobile applications using various tools and software.